A new strain of ransomware exploits Log4j

The Log4j vulnerability is so powerful that it appears to have brought many retired and dormant malicious actors out of the shadows.

Several cybersecurity researchers, including those at Sophos and Curated Intelligence, now say they have detected an attempt to distribute TellYouThePass, an older strain of ransomware considered dormant, via the Log4Shell vulnerability.

According to the researchers, the ransomware, last seen in July 2020, is being used against targets in China, the United States, and Europe, including Amazon and Google cloud services. The malicious actors target both Windows and Linux devices, and the Linux version can steal Secure Socket Shell (SSH) keys and perform lateral movement.

Incoming threat?

Abuse of Log4j to distribute ransomware is not yet widespread, the researchers say, noting that they have not yet observed any ransomware actually being deployed in this way.

However, that does not mean that ransomware operators are not going in this direction. This could mean that they are still in the discovery phase, moving through compromised networks, mapping endpoints and identifying key data.

Speaking to VentureBeat, Chris Neal, a threat researcher at Cisco Talos, said that avoiding detection is crucial for malicious actors at this stage: "After initial access, these attackers will typically choose to gain persistence and then minimize their footprint to avoid detection and recognition," says Neal. "This type of behavior may explain the lack of ransomware campaigns using this observed exploit."

Stay away from crypto mining

At the moment, cryptomining appears to be the most popular way to abuse the Log4j flaw, but with ransomware offering a much higher and faster ROI, researchers expect threat actors to pivot quickly.

"Some of these little things, like a crypto miner, can end up being just the first step in the attack," Roger Koehler, vice president of threat operations at Huntress, told VentureBeat. "Because they can go and sell this access on the black market. And someone bigger and badder can buy that and do something more damaging, like a ransomware attack."

Ultimately, "these crypto miners may look small, but they can become something bigger."

Via: VentureBeat